Authentication Providers

The authentication layer is the message layer
on which authentication processing must be performed. GlassFish Server enforces
web services message security at the SOAP layer. The types of authentication
that are supported include the following:

Sender authentication, including username-password authentication

Content authentication, including XML digital signatures

GlassFish Server invokes authentication providers to process SOAP message layer security. The message security providers
provide information such as the type of authentication that is required for
the request and response messages. The following message security providers
are included with GlassFish Server:

Client-side Provider. A
client-side provider establishes (by signature or username/password) the source
identity of request messages and/or protects (by encryption) request messages
such that they can only be viewed by their intended recipients. A client-side
provider also establishes its container as an authorized recipient of a received
response (by successfully decrypting it) and validates passwords or signatures
in the response to authenticate the source identity associated with the response.
Client-side providers configured in GlassFish Server can be used to protect the
request messages sent and the response messages received by server-side components
(servlets and EJB components) acting as clients of other services.

The default client provider is used to identify the client-side
provider to be invoked for any application for which a specific client provider
has not been bound.

Server-side Provider. A
server-side provider establishes its container as an authorized recipient
of a received request (by successfully decrypting it), and validates passwords
or signatures in the request to authenticate the source identity associated
with the request. A server-side provider also establishes (by signature or
username/password) the source identity of response messages and/or protects
(by encryption) response messages such that they can only be viewed by their
intended recipients. Server-side providers are only invoked by server-side
containers.

The default server provider is used to identify
the server-side provider to be invoked for any application for which
a specific server provider has not been bound.
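
Because the default providers apply to every application that has no specific binding, it is worth checking what they actually require. The following Python check is an added example, not part of the GlassFish documentation. The sample XML is constructed, the function name audit_soap_defaults is hypothetical, and the element and attribute names are assumed to follow the message-security-config section of a GlassFish domain.xml.

```python
import xml.etree.ElementTree as ET

# Constructed sample in the shape of a domain.xml fragment (not from the page).
SAMPLE = """
<security-service>
  <message-security-config auth-layer="SOAP" default-provider="ServerProvider">
    <provider-config provider-id="ClientProvider" provider-type="client"
        class-name="com.sun.xml.wss.provider.ClientSecurityAuthModule">
      <request-policy auth-source="content"/>
      <response-policy auth-source="content"/>
    </provider-config>
    <provider-config provider-id="ServerProvider" provider-type="server"
        class-name="com.sun.xml.wss.provider.ServerSecurityAuthModule">
      <request-policy/>
      <response-policy auth-source="content"/>
    </provider-config>
  </message-security-config>
</security-service>
"""

def audit_soap_defaults(xml_text):
    """Report weaknesses in the default SOAP providers used by unbound applications."""
    findings = []
    cfg = ET.fromstring(xml_text).find(".//message-security-config[@auth-layer='SOAP']")
    if cfg is None:
        return ["no SOAP message-security-config present"]
    providers = {p.get("provider-id"): p for p in cfg.findall("provider-config")}
    for attr, side in (("default-provider", "server"), ("default-client-provider", "client")):
        pid = cfg.get(attr)
        prov = providers.get(pid)
        if pid is None:
            findings.append(f"{side}: no default provider set; unbound applications have none to fall back to")
        elif prov is None:
            findings.append(f"{side}: default '{pid}' is not a defined provider")
        elif prov.get("provider-type") not in (side, "client-server"):
            findings.append(f"{side}: default '{pid}' is not a {side}-side provider")
        else:
            for policy in ("request-policy", "response-policy"):
                node = prov.find(policy)
                source = node.get("auth-source") if node is not None else None
                if source not in ("sender", "content"):  # sender = username/password, content = signature
                    findings.append(f"{side}: '{pid}' {policy} requires no sender or content authentication")
    return findings

if __name__ == "__main__":
    for finding in audit_soap_defaults(SAMPLE):
        print(finding)
```
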